Wednesday, June 18, 2014

Combining sqlmap and Burp for the win

We recently had a vulnerability assessment performed by a
vendor who reported a possible SQL injection in a web application. I
reviewed their results and agreed SQLi was likely due to the application
returning a SQL error message under certain conditions.

Through manual testing, I was able to confirm the application
was vulnerable to SQLi. When I attempted to use sqlmap to automate enumeration
and dumping of the database, however, sqlmap would initially report the
parameter was likely vulnerable, but then later report SQLi was not possible. I
tried setting the --level and --risk parameters to various settings as well as manually
specifying the database type – Microsoft SQL in this case.

While reviewing these results I realized the reason sqlmap
was unable to successfully identify and exploit the SQLi was due to how the
vulnerable parameter was constructed and how sqlmap operates. The application
took several parameters, all enclosed in brackets, a la:

url.asp?x=[value]&y=[value].

Sqlmap operates by appending SQLi code to the end of the parameter or replacing
the parameter entirely. For example, sqlmap may send the following string to
determine if parameter x was vulnerable to a time-based blind SQLi:

url.asp?x=[value'
WAITFOR DELAY '0:0:5'--&y=[value].

Manual testing had shown that a single quote appended to the
parameter value within the brackets
would result in a SQL error message. No matter what I tried, however, sqlmap
was unable to successfully exploit the SQLi and extract the database. As I
mentioned earlier, the application took several parameters enclosed in brackets. In reviewing my
logs, I found that sqlmap wasn’t terminating the parameter with a bracket, as
shown above. This resulted in the application throwing an error because the
parameter wasn’t in the right format, thus the request never made it to the SQL
server, and this is why sqlmap wasn’t able to exploit the SQLi.

I spent some time researching how to append a ] to sqlmap’s
queries, but I couldn’t find any solution. Back to the drawing board. I’ve used
the Match and Replace functionality in Burp’s proxy to manipulate cookie values
to my needs in the past. What if this same functionality could be used to
insert a ] at the end of sqlmap’s attack string?

Since I knew the URL for this particular part of the application
always took the same parameters in the same order, this would be easy to
accomplish. Using the Match and Replace function, I created a new rule using
the Request header type. Since I was testing the x parameter, I needed to
append the ] to sqlmap’s inputbefore y
parameter. To do this, I matched on &y= and set the replace to ]&y=.

A test request from the browser through Burp showed the rule
was now inserting the ] before the y parameter, allowing sqlmap to work
correctly.

The original request:

The modified request:

I fired up sqlmap
one more time. This time, sqlmap was able to properly detect and exploit the
SQLi and extract the database banner and records.

back-end DBMS
operating system: Windows 2003 Service Pack 2

back-end DBMS:
Microsoft SQL Server 2005

banner:

---

Microsoft SQL Server
2005 - 9.00.5057.00 (Intel X86)

Mar 25 2011 13:50:04

Copyright (c) 1988-2005 Microsoft
Corporation

Enterprise Edition on Windows NT 5.2
(Build 3790: Service Pack 2)

---

This was the solution I found to my problem, although I’m
sure there are other ways it could have been solved. If you know of a way to
accomplish this using only sqlmap, I’d love to hear about it.

--------------------------------------------------
UPDATE

Bernardo Damele (@inquisb) pointed out that --suffix would have accomplished the same effect. After reviewing, I agree. Protip: --suffix doesn't show up when using -h to see the options, you need to use -hh to see all options.